Data processing agreement

DATA PROCESSING AGREEMENT
Between [insert name] & [insert name]
ISA ref no: [state any ISA]
Dated: [state date]
Review date: [agree date for review. Ideally no more than 12 months after initially agreed]
Version 1.0

Version no.   Amendments made       Authorisation
0.1           First draft version

533570495
1 of 5 | Page
1. Parties to the agreement:
[insert your organisational name]
[Insert third party provider name]
2. Contacts
[Insert organisation and name of person responsible for this agreement, with contact details]
[Insert name of person from the third party responsible for this agreement, with contact details]
3. Service to be provided
[Insert details of the service to be provided by the third party, making reference to any existing contract, with reference numbers]
4. End date
[Specify the date the agreement will end or, if unknown, how this will be determined at a later date]
5. Personal data to be provided to third party
[The information included here will depend on the nature of the service to be provided. If the data processor is in place to provide a specific, limited service, e.g. database maintenance or processing standardised housing benefit applications, you should list the individual data items to be provided, e.g. name, address, DOB, because it will be clear at the outset what information is needed to provide the service. You should include volumes where known.

If the data processor will be providing a wider service, e.g. managing the Council’s complaints function or provision of social care services, it will not be clear at the outset exactly which items of personal information will be required to carry out the service because these will vary by case and change over time. In this case, you should specify ‘classes’ of personal data such as ‘contact information’, ‘medical history’ or ‘family relationships’ as necessary.

Alternatively, if the contract with the third party has a clear specification setting out which data are to be used, then refer back to that specification.]
6. Purposes for which the data are to be used
[State the specific, limited purpose or purposes for which we are authorising the third party to use the personal data which we provide for the service specified in 3.

This will vary depending on the information entered in 5. If a data processor is providing a specified, limited service such as ‘payment processing’, the specific purposes for which it can use the information should be stated, e.g. to process payments from service users for XYZ service. If a data processor is providing a wider service, you should state the general purposes for which they are authorised to use the personal information, e.g. to provide and manage the Council’s complaints service.

Alternatively, if the contract with the third party has a clear specification setting out this information, then refer back to that specification.]
7. Transmission of personal data
[State how the Council requires personal information to be securely transferred or transmitted between the two parties under this agreement, e.g. encrypted disc sent by courier, emailed via secure email accounts, remote access by supplier. Where encrypted media are used, the decryption key or password must be sent by a separate channel from the media themselves. Seek advice from ICT where necessary. Be prescriptive and set out procedures if necessary.]
8. Security of personal data
[Insert supplier name] must be provided with a copy of any appropriate policies, for example Data Protection, Handling and processing of personal data, Information Security, and Retention schedules. The supplier must also ensure its staff are aware of their responsibilities under the Data Protection Act 1998 and comply with this Act.

The third party supplier must also comply with the general requirements set out in Appendix A to this data processor agreement.
9. Retention of personal data
Specify how long the third party will retain the personal information to be provided under this agreement. Think about the purpose for which they are being provided with it: will they need it once this purpose is served? If not, it should not be retained any longer. Set a date if known, or refer to the date the agreement ends, plus any additional time they might be required to retain it. Refer to Corporate Retention Schedules if required.
10. Destruction of personal data
Specify how the personal data to be provided under this agreement must be securely destroyed by the third party, e.g. disc returned to us in compliance with clause 7, disc physically destroyed, data erased from the third party’s systems etc.
11. Subject access requests
In the event the Council receives a subject access request from an individual, outline the procedures that the third party will have to follow to assist us, e.g. by providing copies of any personal data or related information.
12. Amending, transferring or deleting personal data
Set out the procedure the third party must follow if we ask them to amend, transfer or delete any personal data we have provided under the terms of the agreement.
13. Record-keeping and auditing compliance with this agreement
Set out how the Council will audit compliance with this agreement, e.g. site visits to the third party; record-keeping; who in the Council will be responsible for the day-to-day management of the agreement; where a copy of the agreement will be stored and how it will be monitored; action plan for terminating the agreement etc.
14. Complaints
Set out the procedure and process to be followed in the event of a complaint or allegation of misuse of the personal information against the third party.
15. Breach of the data processor agreement
[insert provider name] acknowledges and agrees that [insert name] Council retains all rights, title and interest in the personal data subject to this agreement. [insert name] Council remains the Data Controller and is responsible for the processing carried out by the third party.

On this basis, [insert provider name] will fully indemnify [insert name] Council in respect of any monetary penalty issued by the Information Commissioner’s Office and any other claim, loss, liability or costs incurred arising as a result of a breach of this Agreement or as a result of any negligence or breach of statute or common law in processing the information disclosed to it.
16. Signatories
For [insert name] Council:
Signed……………………………………
Full name ……………………………….
Position…………………………………..
Date………………………………………

For [insert provider name]:
Signed……………………………………
Full name ……………………………….
Position…………………………………..
Date………………………………………
APPENDIX A
General requirements in terms of security of personal data (clause 8 of the data processor agreement)
The third party must:
1. Take appropriate technical and organisational measures to protect against the unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data (including having adequate back-up procedures and disaster recovery systems) in order to comply with the seventh data protection principle;
2. Ensure that only such of its employees as may be required to assist it in meeting its obligations under the Agreement shall have access to the personal data. The third party shall ensure that all employees used by it to provide the services as described above and as defined in the Agreement have undergone training in the law of data protection and in the care and handling of personal data and have a valid enhanced CRB check/disclosure (where appropriate);
3. Store the data it receives securely in line with policies and destroy it securely as directed by the Council on the date the Agreement ends;
4. Process the personal data only in accordance with the laws of the United Kingdom;
5. Not use the personal data for any purposes which are inconsistent with the purposes as described above and as defined in the Agreement;
6. Not disclose the personal data to a third party in any circumstances other than at the specific request of [insert name] Council;
7. In the event that any personal data in the possession or control of the third party become lost, corrupted or rendered unusable for any reason, promptly restore such personal data using its back-up and/or disaster recovery procedures at no cost to [insert name] Council;
8. In the event that any personal data in the possession or control of the third party become lost, immediately inform [insert name] Council with a full report as to the circumstances;
9. Not transfer any personal data outside the European Economic Area unless authorised to do so in writing by [insert name] Council.